Thanks a lot for your reply.

As per your suggestion i have changed the remote VPN ip pool, previously it was 172.16.1.51 to 172.16.1.100 and now it is 172.16.10.1 to 172.16.1.254 mask 255.255.255.0 but the problem is still continuing. Remote vpn user is getting 172.16.10.1 and default gateway 172.16.10.2 and in this condition Internet is not working.

I have added 172.16.10.0/24 in nat0 before putting in Remote VPN IP Pool.

Yes DNS servers are set for VPN client.

Hi Mukesh,

Please check the if the split tunnel is getting pushed correctly to the client. To check that you need to right on the yellow lock icon and click on statistic. In the statistic window check the route detail tab and make sure you see 172.16.1.0/24 there. if possible send me the following output:

show vpn-sessiondb remote

show run tunnel-group xyz (xyz should be replace with name of the tunnel-group)

sh run group-policy xyz (xyz should be replace with name of the group-policy)

If you have correct split tunneling access-list and you have the correct split tunnel pushed to the client then there is no reason that you will not be able to connect to the internet.

Thanks

Jeet Kumar

Thanks a lot Jeet and Santhosh your replies helped me. Thanks to all repliers.

This is the previous group policy: with this configuration remote users were getting default gateway

ASA-VTV# sh run group-policy VTVREMOTEVPN

group-policy VTVREMOTEVPN internal

group-policy VTVREMOTEVPN attributes

dns-server value 172.16.1.10 172.16.1.11

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelall

split-tunnel-network-list value VTVREMOTEVPN_splitTunnelAcl

default-domain none

ASA-VTV#

This is modified group policy: with this configuration remote users are not getting default gateway

ASA-VTV# sh run group-policy VTVREMOTEVPN

group-policy VTVREMOTEVPN internal

group-policy VTVREMOTEVPN attributes

dns-server value 172.16.1.10 172.16.1.11

vpn-filter value VTVREMOTEVPN_splitTunnelAcl

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VTVREMOTEVPN_splitTunnelAcl

default-domain value abcl.com

Hi,

The top configurations is specified to Tunnel All traffic as you can see from the "split-tunnel-policy tunneall". In this case the Split Tunnel ACL is ignored to my understanding.

The bottom configuration is specified to use Split Tunnel but I cant see the ACL specified there.

To my understanding you should be seeing routes on your actual computers routing table for the networks that are reached through the VPN.

On a Windows machine you can open the command prompt and issue the command "route print" to view the routes

Here is an example when I am connected to one Split Tunnel VPN (click to enlarge)

To my understanding there is no default gateway in the virtual VPN interface configurations as the host forward all the traffic that needs to be tunneled to the actual virtual interface and from there on in it heads through the VPN Connection.

Here is an example what the VPN Client Statistics/Route Details tells me

Both Internet and the remote network/host behind the VPN connection can be reached.

What does the above window show for you in your VPN Client when active?

- Jouni

if you have full tunnel VPN, you need to add the virtual-template 1 interface as a ip nat inside, so that it provides internet to the device connected to it